What is GHSA-88m5-cm5m-2596?

GHSA-88m5-cm5m-2596 is a security advisory published by GitHub Security Advisories with Medium severity. Rsync version 3.4.2 and prior contain an integer overflow vulnerability in the compressed-token...

Which CVE IDs does GHSA-88m5-cm5m-2596 cover?

GHSA-88m5-cm5m-2596 covers the following CVE IDs: CVE-2026-43618. Each CVE has its own detail page on EchelonGraph Pulse with the synthesized EG score.

What is the CVSS v3 score of GHSA-88m5-cm5m-2596?

GHSA-88m5-cm5m-2596 has a CVSS v3 base score of 8.1, published by GitHub Security Advisories.

GHSA-88m5-cm5m-2596MediumCVSS 8.1

Rsync version 3.4.2 and prior contain an integer overflow vulnerability in the compressed-token...

Vendor

GitHub Security Advisories

Published

May 20, 2026

Last Modified

May 20, 2026

🔗 CVE IDs covered (1)

CVE-2026-43618 →

📋 Description

Rsync version 3.4.2 and prior contain an integer overflow vulnerability in the compressed-token decoder where a 32-bit signed counter is not checked for overflow, allowing a malicious sender to trigger an overflow that causes the receiver process to read and return data from outside the intended buffer bounds. Attackers can exploit this vulnerability to disclose process memory contents including environment variables, passwords, heap and stack data, and library memory pointers, significantly reducing ASLR effectiveness and facilitating further exploitation.

🔗 References (5)

https://github.com/RsyncProject/rsync/security/advisories/GHSA-g37v-g3gj-pmwq
https://nvd.nist.gov/vuln/detail/CVE-2026-43618
https://github.com/RsyncProject/rsync/releases/tag/v3.4.3
https://www.vulncheck.com/advisories/rsync-integer-overflow-information-disclosure
https://github.com/advisories/GHSA-88m5-cm5m-2596